We introduce the notion of non-malleability of a quantum state encryption scheme (in dimension $d$): in addition to the requirement that an adversary cannot learn information about the state, here we demand that no controlled modification of the encrypted state can be effected.

We show that such a scheme is equivalent to a unitary 2-design [Dankert et al.], as opposed to normal encryption which is a unitary 1-design. Our other main results include a new proof of the lower bound of $(d^2-1)^2+1$ on the number of unitaries in a 2-design [Gross et al.], which lends itself to a generalization to approximate 2-designs. Furthermore, while in prime power dimension there is a unitary 2-design with $\le d^5$ elements, we show that there are always approximate 2-designs with $O(\epsilon^{-2} d^4 \log d)$ elements.

INTRODUCTION

The ordinary (and in terms of secret key length, optimal) encryption of quantum states on $n$ qubits is by applying a randomly chosen tensor product of Pauli operators (including the identity). This requires $2n$ bits of shared secret randomness, corresponding to the $4^n$ Pauli operators. (More generally, for states on a $d$-dimensional system, one can use the elements of the discrete Weyl group, up to global phases, of which there are $d^2$.) This is perfectly secure in the sense that the state the adversary can intercept is, without her knowing the key, always the maximally mixed state. For perfectly secure encryption with random unitaries, it was shown in [2] that $2n$ bits of secret key are also necessary for $n$ qubits. The lower bound of 2 bits of key per qubit continues to hold even for $\epsilon$-approximate encryption (up to expressions in $\epsilon$), but there it becomes relevant how the approximation is defined, namely whether it randomizes entangled states or not [see Eqs. (2') and (2'') below]. In [16] it was shown that in the latter case one gets away with $n + o(n)$ key bits for arbitrary $n$-qubit states; their construction was derandomized later in and [11].

However, even perfectly secure encryption allows for a different sort of intervention by the adversary: she can, without ever attempting to learn the message, change the plaintext by effecting certain dynamics on the encrypted state. Consider briefly the classical one-time pad, i.e. an $n$-bit message XORed with a random $n$-bit string: by flipping a bit of the ciphertext, an adversary can effectively flip any bit of the recovered plaintext. In the quantum case, due to the (anti-)commutation relations of the Pauli operators, by applying some Pauli to the ciphertext (encrypted state) she forces the decrypted state to be the plaintext modified by that Pauli: for an $n$-qubit state $|\psi\rangle$, any adversary's Pauli operator $Q$ and secret key Pauli $P_k$, the decrypted state is

$$P_k^\dagger Q P_k |\psi\rangle = c\, Q |\psi\rangle,$$

with some (unimportant) global phase $c = c(P_k, Q)$.

This is evidently an undesirable property of an encryption scheme, and can be classically addressed e.g. by authenticating the message as well as encrypting it. Interestingly, in the above quantum message case, it was shown in [4] that authenticating quantum messages is at least as expensive as encrypting them (it actually encrypts the message as well): one needs 2 bits of shared secret key for each qubit authenticated, even in the approximate setting considered in [4]. Classical non-malleable cryptosystems include both symmetric and asymmetric encryption schemes, bit commitment, zero knowledge proofs and others [12].

Here we will introduce a formal definition of perfect non-malleability of a quantum state encryption scheme (NMES), i.e. resistance against predictable modification of the plaintext, as well as two notions of approximate encryption with approximate non-malleability. We show that a unitary non-malleable channel is equivalent to a unitary 2-design in the sense of Dankert et al. [9]. We use this fact to design an exact ideal non-malleable encryption scheme requiring $5\log d$ bits of key. Also, the lower bound of Gross et al. [15] for unitary 2-designs applies to perfect NMES; we give a new proof of their result that at least $(d^2-1)^2+1$ unitaries are required, which also yields a more general lower bound of $(4 - O(\epsilon))\log d$ on the entropy of an approximate unitary 2-design. Finally we demonstrate that approximate NMES (unitary 2-designs) exist which require only $4\log d + \log\log d + O(\log 1/\epsilon)$ bits of key.



I. GENERAL MODEL OF ENCRYPTION 

Suppose Alice wants to send a secret quantum message to Bob, say an arbitrary state $\rho \in \mathcal{B}(\mathcal{H})$, $\mathcal{H}$ a Hilbert space of dimension $d$. For this purpose they will use an encryption scheme with pre-shared secret key $K$ as follows. $K$ is distributed according to some probability distribution $p_K(k)$, and for each $k$ there is a pair of c.p.t.p. (completely positive and trace preserving) maps

$$E_k : \mathcal{B}(\mathcal{H}) \to \mathcal{B}(\mathcal{H}') \quad\text{and}\quad D_k : \mathcal{B}(\mathcal{H}') \to \mathcal{B}(\mathcal{H})$$

for encryption and decryption. The combined effect of en- and decryption, averaged over all keys, is described by a c.p.t.p. map (noisy quantum channel) $R : \mathcal{B}(\mathcal{H}) \to \mathcal{B}(\mathcal{H})$, acting on operators on $\mathcal{H}$ as

$$R(\rho) = \sum_k p_K(k)\, D_k(E_k(\rho)).$$

Similarly, for an adversary who intercepts the encrypted state but doesn't know the secret key, we have an average channel $R' : \mathcal{B}(\mathcal{H}) \to \mathcal{B}(\mathcal{H}')$,

$$R'(\rho) = \sum_k p_K(k)\, E_k(\rho).$$

Loosely speaking, the quality of the scheme is described by two parameters: first, the reliability, i.e. how close $R$ is to the ideal channel; secondly, the secrecy, i.e. how close $R'$ is to a constant (meaning a map taking all input states to a fixed output state). In an ideal scheme, $R = \mathrm{id}$ and $R' = \mathrm{const.}$, i.e. there is a state $\zeta_0$ on $\mathcal{H}'$ such that

$$\forall\rho \quad R(\rho) = \rho, \qquad (1)$$
$$\forall\rho \quad R'(\rho) = \zeta_0. \qquad (2)$$

The issue of approximate performance is a little bit tricky: whereas for the reliability of communication there is essentially one notion, namely, for $\delta > 0$,

$$\forall\rho \quad \|\rho - R(\rho)\|_1 \le \delta, \qquad (1')$$

there are two asymptotically radically different notions of secrecy. One is the "naive" one,

$$\forall\rho \quad \|R'(\rho) - \zeta_0\|_1 \le \epsilon, \qquad (2')$$

that does not randomize entangled states when applied locally.

The "correct" (composable!) definition takes into account the possibility to apply $R'$ to part of an entangled state:

$$\forall\rho_{12} \quad \|(R' \otimes \mathrm{id})\rho_{12} - \zeta_0 \otimes \rho_2\|_1 \le \epsilon. \qquad (2'')$$

We note that the two conditions coincide in the ideal case $\epsilon = 0$.

The minimal key length required for (approximate) encryption reflects whether Eq. (2') or Eq. (2'') is used. In the former case $\log d$ bits of key are necessary, and $\log d + o(\log d)$ bits of key are sufficient [10] to randomize a quantum system of dimension $d$, while in the latter case the key length essentially coincides with the exact encryption case and equals $(2 - O(\epsilon))\log d$ [2].

II. NON-MALLEABILITY 

There is, of course, a simple scheme of encryption that implements an ideal scheme: on $n$ qubits, use a key of length $2n$ and apply an independent random Pauli operator to each qubit. (More generally, in dimension $d$, the key identifies one of the discrete Weyl operators made up of the basis shift and phase shift operators.) The adversary evidently cannot see any information about the plaintext state, but she can use the ciphertext in another way: by modulating the ciphertext with an arbitrary Pauli operation, she can effectively implement this Pauli transformation on the plaintext state.

We shall show that this is not at all a necessary feature of any encryption scheme. There are, however, always two possible actions for the adversary (and their arbitrary convex combination). Namely, not to interfere at all, resulting in correct decryption of the state $\rho$ sent; or interception of the ciphertext and its replacement by a state $\eta_0$ on $\mathcal{H}'$, resulting in Bob always decrypting the constant state $\rho_0 = \sum_k p_K(k) D_k(\eta_0)$. In other words, assuming the adversary implements an arbitrary quantum channel, i.e. a completely positive and trace non-increasing (c.p.t.$\le$) map $A : \mathcal{B}(\mathcal{H}') \to \mathcal{B}(\mathcal{H}')$, the class of effective channels on the plaintext she can realize, namely all channels

$$\Lambda : \mathcal{B}(\mathcal{H}) \to \mathcal{B}(\mathcal{H}) \quad\text{s.t.}\quad \Lambda(\rho) = \sum_k p_K(k)\, D_k\big(A(E_k(\rho))\big),$$

will include all convex combinations of the identity (up to approximation as specified by $\epsilon$) and the completely forgetful channels $\langle\rho_0\rangle$ mapping all inputs to the state $\rho_0 = \sum_k p_K(k) D_k(\eta_0)$, with arbitrary $\eta_0$.

We call an encryption scheme (perfectly) non-malleable if these are the only effective channels the adversary can realize, i.e. if for every $A$, $\Lambda$ is in the semi-linear span of $\mathrm{id}$ and the $\langle\rho_0\rangle$,

$$\Lambda \in \mathcal{C} := \text{semi-lin}\Big(\{\mathrm{id}\} \cup \Big\{\langle\rho_0\rangle : \exists\,\eta_0\ \ \rho_0 = \sum_k p_K(k) D_k(\eta_0)\Big\}\Big), \qquad (3)$$

with semi-lin being the semi-linear hull, i.e. with any family of elements it also contains all their linear combinations, subject to complete positivity of the resulting operator. [Clearly, in the above the convex hull can be realized by an adversary; however, in general the full semi-linear hull is accessible; e.g. for the Haar measure on the unitary group (and infinite key) the only constant channel is $\langle\tau\rangle$, with the maximally mixed state $\tau = \frac{1}{d}\mathbb{1}$, cf. the beginning of the next section, in particular Eqs. (4)–(6). On the other hand, any traceless unitary by the adversary results in the effective channel $\Lambda(\rho) = \frac{1}{d^2-1}\,(d^2\tau - \rho)$.]

Also, a word on why we demand this for all c.p.t.$\le$ maps, which is a strictly larger class than c.p.t.p.: note that the adversary could implement an instrument [10], which is a resolution of a c.p.t.p. map into c.p.t.$\le$ ones. One of them will act randomly, but the adversary can learn which one, so she could effectively correlate herself with the effective channel $\Lambda$.

As before, this is to be understood up to approximations: for every effective channel $\Lambda$ there is $\Theta \in \mathcal{C}$ such that

$$\forall\rho \quad \|\Lambda(\rho) - \Theta(\rho)\|_1 \le \theta. \qquad (3')$$

However, again the "correct" (composable) definition has to take into account the possibility of applying the effective channels to part of an entangled state:

$$\forall\rho_{12} \quad \|(\Lambda \otimes \mathrm{id})\rho_{12} - (\Theta \otimes \mathrm{id})\rho_{12}\|_1 \le \theta. \qquad (3'')$$

We call the scheme strictly non-malleable if Eq. (3), (3') or (3'') holds for some set $\mathcal{C}' = \text{semi-lin}\{\mathrm{id}, \langle\rho_0\rangle\}$ instead of $\mathcal{C}$. (In other words, there is essentially only one constant channel in $\mathcal{C}$, independent of $\eta_0$.) Perfect non-malleability then corresponds to $\theta = 0$, in either Eq. (3') or (3'').

III. MAIN RESULTS 

In this paper we restrict ourselves to the "minimal" case, when $\mathcal{H}' = \mathcal{H}$ is a $d$-dimensional Hilbert space, and to perfect transmission, i.e. Eq. (1). This entails that $E_k$ is conjugation by a unitary $U_k$, while $D_k$ is simply the inverse, i.e. conjugation by $U_k^\dagger$:

$$E_k(\rho) = U_k \rho U_k^\dagger, \qquad D_k(\sigma) = U_k^\dagger \sigma U_k.$$

Since convex combinations of unitary conjugation channels are unital, in an encryption scheme all input states are encrypted as the maximally mixed state $\zeta_0 = \tau := \frac{1}{d}\mathbb{1}$ in Eqs. (2), (2') and (2''). (For a more general discussion see [5].) This means that the adversary can always implement channels

$$\Theta \in \mathcal{C}' = \text{semi-lin}\{\mathrm{id}, \langle\tau\rangle\}, \qquad (4)$$

where $\langle\tau\rangle$ is the completely depolarizing channel. Conversely, we demand that these are the only ones she can achieve: for every c.p.t.$\le$ map $A$, we demand that the effective channel $\Lambda \in \mathcal{C}$, with

$$\Lambda(\rho) = \sum_k p_K(k)\, U_k^\dagger\big(A(U_k \rho U_k^\dagger)\big)U_k.$$

This can be conveniently re-expressed using the Choi–Jamiołkowski operators: for the maximally entangled state $\Phi_d = \frac{1}{d}\sum_{i,j=0}^{d-1}|ii\rangle\langle jj|$ on two systems labelled 1 and 2, let $\omega = J_A := (A \otimes \mathrm{id})\Phi_d$. Note that $\mathrm{Tr}\,J_A \le 1$ and that $A$ can be recovered from the Choi–Jamiołkowski operator as follows:

$$A(\rho) = d\,\mathrm{Tr}_2\big((\mathbb{1} \otimes \rho^T) J_A\big), \qquad (5)$$

where $\rho^T$ is the transpose of $\rho$ with respect to the basis $\{|i\rangle\}_{i=0}^{d-1}$. The image of the set $\mathcal{C}$ under the Choi–Jamiołkowski isomorphism is the set of bipartite positive operators

$$(\mathcal{C} \otimes \mathrm{id})\Phi_d = \text{semi-lin}\{\Phi_d, \tau \otimes \tau\} = \mathbb{R}_{\ge 0}\Phi_d + \mathbb{R}_{\ge 0}(\mathbb{1} - \Phi_d) =: \mathcal{I}, \qquad (6)$$

which are (up to normalization) just the so-called isotropic states. Note that these are exactly the (semidefinite) operators invariant under conjugation with $U \otimes \overline{U}$, and that integration over the Haar measure $dU$ implements the projection onto $\mathcal{I}$: for every operator $X$,

$$\int dU\,(U \otimes \overline{U})X(U \otimes \overline{U})^\dagger = \alpha\Phi_d + \beta(\mathbb{1} - \Phi_d), \quad\text{with } \alpha = \mathrm{Tr}\,X\Phi_d,\ \ \beta = \frac{1}{d^2-1}\,\mathrm{Tr}\,X(\mathbb{1} - \Phi_d). \qquad (7)$$

The c.p.t.p. mapping from $X$ to the above average is known as the $U \otimes \overline{U}$-twirl, denoted $T_{U \otimes \overline{U}}$.

On the other hand, exploiting the symmetry $\Phi_d = (U \otimes \overline{U})\Phi_d(U \otimes \overline{U})^\dagger$, we can write the Choi–Jamiołkowski operator of the effective channel,

$$\begin{aligned}
(\Lambda \otimes \mathrm{id})\Phi_d
&= \sum_k p_K(k)\,(U_k \otimes \mathbb{1})^\dagger\Big[(A \otimes \mathrm{id})\big((U_k \otimes \mathbb{1})\Phi_d(U_k \otimes \mathbb{1})^\dagger\big)\Big](U_k \otimes \mathbb{1}) \\
&= \sum_k p_K(k)\,(U_k \otimes \mathbb{1})^\dagger\Big[(A \otimes \mathrm{id})\big((\mathbb{1} \otimes U_k^T)\Phi_d(\mathbb{1} \otimes U_k^T)^\dagger\big)\Big](U_k \otimes \mathbb{1}) \\
&= \sum_k p_K(k)\,(U_k \otimes \overline{U_k})^\dagger\big[(A \otimes \mathrm{id})\Phi_d\big](U_k \otimes \overline{U_k}) \\
&= \sum_k p_K(k)\,(U_k \otimes \overline{U_k})^\dagger\,\omega\,(U_k \otimes \overline{U_k}) =: T(\omega),
\end{aligned}$$

where $T$ is manifestly a c.p.t.p. map. The condition that $\{p_K(k), U_k\}$ forms a perfect NMES is now concisely expressed as $T = T_{U \otimes \overline{U}}$.

This is precisely the condition for a so-called unitary 2-design [9], see also [15]. Note that modulo a partial transpose, the $U \otimes \overline{U}$-twirl is equivalent to the more familiar $U \otimes U$-twirl

$$T_{U \otimes U}(X) = \int dU\,(U \otimes U)X(U \otimes U)^\dagger = \alpha F + \beta(\mathbb{1} - F),$$

with the swap (or flip) operator $F = \sum_{i,j=0}^{d-1}|ij\rangle\langle ji|$, mapping density operators to Werner states [19]. Thus we have proved:

Theorem 1 Every perfect non-malleable encryption scheme is a unitary 2-design. □ 

Corollary 2 Any perfect non-malleable encryption scheme, i.e., an ensemble of unitaries $\{p_K(k), U_k\}$ satisfying $\Lambda \in \mathcal{C}'$, is automatically an ideal encryption scheme, i.e. Eq. (2) holds.

Proof By Theorem 1 a perfect NMES is a unitary 2-design. But then it is automatically a unitary 1-design, meaning that for all $\rho$, $\sum_k p_K(k) U_k \rho U_k^\dagger = \tau$, which is precisely Eq. (2). □
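To make the contrast between a 1-design key and a 2-design key concrete, here is an added numerical example on a single qubit (our own code, not the paper's): the Pauli one-time pad $\{\mathbb{1}, X, Y, Z\}$ (a unitary 1-design) versus the uniform ensemble over the 24 Clifford unitaries generated by $H$ and $S$ (a unitary 2-design). For an adversary who applies a fixed unitary $Q$ to the ciphertext it computes the effective channel $\Lambda(\rho) = \sum_k p_K(k)\,U_k^\dagger Q U_k \rho U_k^\dagger Q^\dagger U_k$, and it compares the ensemble's $U \otimes \overline{U}$-twirl with the Haar formula of Eq. (7). It goes slightly beyond the traceless case in the text: against a 2-design any unitary $Q$ collapses to the depolarizing channel $p\,\rho + (1-p)\tau$ with $p = (|\mathrm{Tr}\,Q|^2 - 1)/(d^2-1)$, which reduces to $\frac{1}{d^2-1}(d^2\tau - \rho)$ for $\mathrm{Tr}\,Q = 0$. The helper names, the pure-Python matrix routines and the plaintext $|0\rangle\langle 0|$ are all our constructions.

```python
"""Added example (not code from the paper): on one qubit, compare the Pauli
one-time pad (a unitary 1-design) with the Clifford group (a unitary 2-design)
as key ensembles.  Pure Python, no numpy; all names here are ours."""
import math

# ---- small complex-matrix helpers on lists of lists ----
def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def dagger(A):
    return [[A[j][i].conjugate() for j in range(len(A))] for i in range(len(A[0]))]

def conj(A):
    return [[x.conjugate() for x in row] for row in A]

def kron(A, B):
    return [[a * b for a in ra for b in rb] for ra in A for rb in B]

def lincomb(pairs):                      # sum of c * M over (c, M) pairs
    n, m = len(pairs[0][1]), len(pairs[0][1][0])
    return [[sum(c * M[i][j] for c, M in pairs) for j in range(m)] for i in range(n)]

def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]

def trace(A):
    return sum(A[i][i] for i in range(len(A)))

def close(A, B, tol=1e-9):
    return all(abs(A[i][j] - B[i][j]) < tol for i in range(len(A)) for j in range(len(A[0])))

# ---- the two key ensembles ----
I2, X, Y, Z = identity(2), [[0, 1], [1, 0]], [[0, -1j], [1j, 0]], [[1, 0], [0, -1]]
H = [[1 / math.sqrt(2), 1 / math.sqrt(2)], [1 / math.sqrt(2), -1 / math.sqrt(2)]]
S = [[1, 0], [0, 1j]]
PAULI_KEYS = [I2, X, Y, Z]               # 2 bits of key: ideal encryption, but malleable

def _fix_phase(U):
    """Divide out the global phase so phase-equivalent unitaries compare equal."""
    e = next(x for row in U for x in row if abs(x) > 1e-6)
    return [[x / (e / abs(e)) for x in row] for row in U]

def clifford_group_1qubit():
    """Closure of {H, S} under multiplication modulo phase: the 24 Clifford unitaries."""
    group, frontier = [_fix_phase(I2)], [_fix_phase(I2)]
    while frontier:
        new = []
        for U in frontier:
            for G in (H, S):
                V = _fix_phase(matmul(G, U))
                if not any(close(V, W) for W in group):
                    group.append(V)
                    new.append(V)
        frontier = new
    return group

# ---- effective channel of a tampering adversary: Lambda(rho) = (1/N) sum_k U_k^+ A(U_k rho U_k^+) U_k ----
def conjugation(Q):
    return lambda sigma: matmul(matmul(Q, sigma), dagger(Q))

def effective_channel(keys, adversary, rho):
    terms = []
    for U in keys:                                   # uniform key, p_K(k) = 1/N
        cipher = matmul(matmul(U, rho), dagger(U))   # E_k
        plain = matmul(matmul(dagger(U), adversary(cipher)), U)   # D_k after tampering
        terms.append((1.0 / len(keys), plain))
    return lincomb(terms)

def depolarized(rho, p):
    """p*rho + (1-p)*tau with tau = 1/d: the channels in semi-lin{id, <tau>}."""
    return lincomb([(p, rho), ((1 - p) / len(rho), identity(len(rho)))])

# ---- U (x) conj(U) twirl of the ensemble versus the Haar twirl of Eq. (7) ----
def maximally_entangled(d):
    Phi = [[0.0] * (d * d) for _ in range(d * d)]
    for i in range(d):
        for j in range(d):
            Phi[i * d + i][j * d + j] = 1.0 / d
    return Phi

def uubar_twirl(keys, M):
    terms = []
    for U in keys:
        W = kron(U, conj(U))
        terms.append((1.0 / len(keys), matmul(matmul(W, M), dagger(W))))
    return lincomb(terms)

def haar_uubar_twirl(M):
    """alpha*Phi + beta*(1-Phi) with alpha = Tr M Phi, beta = Tr M(1-Phi)/(d^2-1)."""
    d = int(round(math.sqrt(len(M))))
    Phi = maximally_entangled(d)
    rest = lincomb([(1, identity(d * d)), (-1, Phi)])
    return lincomb([(trace(matmul(M, Phi)), Phi),
                    (trace(matmul(M, rest)) / (d * d - 1), rest)])

if __name__ == "__main__":
    rho0 = [[1, 0], [0, 0]]                          # constructed plaintext |0><0|
    cliff = clifford_group_1qubit()
    print(len(cliff), "Clifford unitaries")
    print("Pauli keys, adversary X:   ", effective_channel(PAULI_KEYS, conjugation(X), rho0))
    print("Clifford keys, adversary X:", effective_channel(cliff, conjugation(X), rho0))
```

With Pauli keys and $Q = X$ the effective channel is exactly conjugation by $X$, so the adversary flips the plaintext without ever learning it; with Clifford keys the same attack yields only the depolarized output $\frac{1}{3}(4\tau - \rho)$, and $Q = S$ yields $\frac{1}{3}\rho + \frac{2}{3}\tau$, both elements of semi-lin$\{\mathrm{id}, \langle\tau\rangle\}$. The Clifford twirl of an arbitrary operator coincides with Eq. (7) while the Pauli twirl does not, which is Theorem 1 in numbers: the 1-design encrypts but is malleable, the 2-design is not.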

Theorem 3 Every perfect non-malleable encryption scheme $\{p_K(k), U_k\}$ requires at least $(d^2-1)^2+1$ unitaries. Furthermore, every $\theta$-NMES as in Eq. (3'') with $\theta \le 1/e$ satisfies

$$H(p_K) \ge H_2\!\left(\tfrac{1}{d^2}\right) + 2\left(1 - \tfrac{1}{d^2}\right)\log(d^2-1) - 4\theta\log d - H_2(\theta) \ge (4 - O(\theta))\log d,$$

where $H_2(x) = -x\log x - (1-x)\log(1-x)$ is the binary entropy.

Remark In the light of Theorem 1, the first part amounts to a demonstration that 2-designs have to have at least $(d^2-1)^2+1$ unitaries; this was proved by Gross et al. [15], but we give a different, direct proof below. It seems to be conjectured that in fact the better lower bound $d^2(d^2-1)$ holds in general, which is true for so-called "Clifford twirls", and tight in some dimensions [7, 15].



Proof Consider the Choi–Jamiołkowski operator of $T$, labeling the systems 1, 2, 1' and 2', and with the maximally entangled state $\Phi_{d^2}$ understood between systems 12 and 1'2':

$$\Omega_{U \otimes \overline{U}} = (T_{U \otimes \overline{U}} \otimes \mathrm{id})\Phi_{d^2} = \frac{1}{d^2}\,\Phi_d \otimes \Phi_d + \frac{1}{d^2(d^2-1)}\,(\mathbb{1} - \Phi_d) \otimes (\mathbb{1} - \Phi_d).$$

On the other hand, for the first part of the theorem this has to be equal to

$$\Omega = (T \otimes \mathrm{id})\Phi_{d^2} = \sum_{k=1}^N p_K(k)\,(U_k \otimes \overline{U_k} \otimes \mathbb{1}^{1'2'})^\dagger\,\Phi_{d^2}\,(U_k \otimes \overline{U_k} \otimes \mathbb{1}^{1'2'}).$$

Comparing ranks of the two right hand side expressions reveals immediately $N \ge (d^2-1)^2+1$.

For the entropy statement in the approximate case, we note that by Eq. (3''), $\|\Omega - \Omega_{U \otimes \overline{U}}\|_1 \le \theta$, so by Fannes' inequality [13] and Schur concavity of the entropy [18],

$$H(p_K) \ge S(\Omega) \ge S(\Omega_{U \otimes \overline{U}}) - \theta\log d^4 - H_2(\theta),$$

and we are done. □
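As an added worked step (not part of the paper's text), the rank and the entropy that the proof uses follow from the spectral decomposition of $\Omega_{U \otimes \overline{U}}$ (the same operator is written out again in the proof of Theorem 5). Since $\Phi_d$ and $\mathbb{1} - \Phi_d$ are orthogonal projectors of ranks $1$ and $d^2-1$,

$$\Omega_{U \otimes \overline{U}} = \frac{1}{d^2}\,\Phi_d \otimes \Phi_d + \frac{1}{d^2(d^2-1)}\,(\mathbb{1} - \Phi_d) \otimes (\mathbb{1} - \Phi_d)$$

has the eigenvalue $\frac{1}{d^2}$ with multiplicity $1$ and the eigenvalue $\frac{1}{d^2(d^2-1)}$ with multiplicity $(d^2-1)^2$; the trace checks, $\frac{1}{d^2} + \frac{(d^2-1)^2}{d^2(d^2-1)} = 1$. Hence $\operatorname{rank}\Omega_{U \otimes \overline{U}} = (d^2-1)^2 + 1$, whereas the $k$-sum is a mixture of $N$ unitary conjugates of the rank-one projector $\Phi_{d^2}$ and so has rank at most $N$, which is the first claim. For the entropy,

$$\begin{aligned}
S(\Omega_{U \otimes \overline{U}})
&= \frac{1}{d^2}\log d^2 + \frac{(d^2-1)^2}{d^2(d^2-1)}\log\big(d^2(d^2-1)\big) \\
&= \frac{1}{d^2}\log d^2 + \Big(1 - \frac{1}{d^2}\Big)\big(\log d^2 + \log(d^2-1)\big) \\
&= H_2\!\Big(\frac{1}{d^2}\Big) + 2\Big(1 - \frac{1}{d^2}\Big)\log(d^2-1) \\
&= 2\log d + \Big(1 - \frac{1}{d^2}\Big)\log(d^2-1) \;=\; 4\log d - O\!\Big(\frac{\log d}{d^2}\Big),
\end{aligned}$$

using $H_2(\frac{1}{d^2}) = \frac{1}{d^2}\log d^2 + (1 - \frac{1}{d^2})\big(\log d^2 - \log(d^2-1)\big)$ in the third line. Subtracting the Fannes term $\theta\log d^4 + H_2(\theta) = 4\theta\log d + H_2(\theta)$ gives exactly the bound stated in Theorem 3.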

Theorem 4 (Chau [7], Gross et al. [15]) If $d = p^n$ is a prime power, then there exists a perfect non-malleable encryption scheme with at most $d^5$ unitaries, meaning that the key length is $\le 5\log d$. In fact, such a scheme is obtained as the uniform ensemble over a particular subgroup of the Clifford group (i.e., the normalizer) of the $n$-th tensor power Heisenberg–Weyl (aka generalised Pauli) group $\mathcal{P}_p^{\otimes n}$, where $\mathcal{P}_p$ is the group generated by the discrete Weyl operators

$$X_p = \sum_{j=0}^{p-1}|j+1 \bmod p\rangle\langle j|, \qquad Z_p = \sum_{k=0}^{p-1} e^{2\pi i k/p}\,|k\rangle\langle k|.$$

Proof Apart from Chau [7] see Gross et al. [15] as well as the crisp presentation of Grassl [14]. □

Remark We note that in even prime power dimension, the cardinality of the subgroup can be reduced to (d^ − d^)/8. Furthermore, Chau [7] showed that for several small dimensions the minimum $d^4 - d^2$ is attainable; see also Gross et al. [15] for another example of $2(d^4 - d^2)$.

Theorem 5 For $0 < \theta < 1/2$ there exists a $\theta$-NMES with $O(\theta^{-2} d^4 \log d)$ unitaries, i.e. with key requirement of $4\log d + \log\log d + O(\log\frac{1}{\theta})$ bits. In fact, Eq. (3'') holds in the stronger form

$$(1-\theta)\,\Theta \le \Lambda \le (1+\theta)\,\Theta. \qquad (3^*)$$

Proof Start from any exact unitary 2-design, such as the unitary group with Haar measure, or the Clifford group or one of its admissible subgroups. We shall select $U_1, \ldots, U_N$ independently at random from that chosen 2-design, and show that Eq. (3*) is true with high probability as soon as $N$ is of order $\theta^{-2} d^4 \log d$; which of course implies that there exists a particular selection of an ensemble $\{1/N, U_k\}_{k=1}^N$ satisfying (3*).

In fact, it is sufficient to show that for $T(\omega) = \frac{1}{N}\sum_{k=1}^N (U_k \otimes \overline{U_k})^\dagger\,\omega\,(U_k \otimes \overline{U_k})$,

$$(1-\theta)\,T_{U \otimes \overline{U}} \le T \le (1+\theta)\,T_{U \otimes \overline{U}},$$

which in turn is equivalent to the corresponding statement for the Choi–Jamiołkowski states, compare Eq. (3*):

$$(1-\theta)\,\Omega_{U \otimes \overline{U}} \le \Omega \le (1+\theta)\,\Omega_{U \otimes \overline{U}},$$

where

$$\Omega_{U \otimes \overline{U}} = (T_{U \otimes \overline{U}} \otimes \mathrm{id})\Phi_{d^2} = \frac{1}{d^2}\,\Phi_d \otimes \Phi_d + \frac{1}{d^2(d^2-1)}\,(\mathbb{1} - \Phi_d) \otimes (\mathbb{1} - \Phi_d)$$

and $\Omega = (T \otimes \mathrm{id})\Phi_{d^2} = \frac{1}{N}\sum_{k=1}^N X_k$. Now $\Omega$ is a random variable, in fact an average of independent, identically distributed terms

$$X_k := (U_k^\dagger \otimes U_k^T \otimes \mathbb{1}^{1'2'})\,\Phi_{d^2}\,(U_k^\dagger \otimes U_k^T \otimes \mathbb{1}^{1'2'})^\dagger,$$

with expectation $\mathbb{E}X_k = \mathbb{E}\Omega = \Omega_{U \otimes \overline{U}}$. All are bounded between $0$ and $\mathbb{1}$, so the operator Chernoff bound applies, yielding (with a universal constant $c > 0$)

$$\Pr\big\{(1-\theta)\,\Omega_{U \otimes \overline{U}} \le \Omega \le (1+\theta)\,\Omega_{U \otimes \overline{U}}\big\} \ge 1 - 2d^4\,e^{-cN\theta^2/d^4},$$

which implies the claim. □



IV. DISCUSSION 

We have introduced the cryptographic primitive of a non-malleable quantum state encryption scheme. While many questions remain open, we have shown that every such scheme based on random unitaries is a unitary 2-design, showing in particular that every such scheme must use $4\log d$ bits of key, as opposed to the well-known $2\log d$ necessary and sufficient for quantum state encryption [2].

This situation essentially persists even if we relax the non-malleability to being approximate. On the other hand, there exists an exact construction based on the Jacobi subgroup of the Clifford group in dimension $d$, which requires $5\log d$ bits of key, and we show a new randomized construction requiring only $(4 + o(1))\log d$ bits of key. We leave open the question of finding an explicit description of such a scheme, as well as that of finding an exact unitary 2-design with only $O(d^4)$ elements.

What we also leave open is the perhaps more pressing problem of relaxing the condition that encryption is done by unitaries. Giving up this restriction results in an advantage in key size, see the work of Barnum et al. [4]. More precisely, these authors show how using $2n + O(s)$ bits of secret key to encrypt $n - s$ qubits into $n$ qubits results in a $\theta$-NMES with $\theta = 2^{-\Omega(s)}$. In our setting this can be understood as only using $d_0 < d$ of the Hilbert space dimensions for quantum information. Then, to transmit a state in the $d_0$-dimensional space $\mathcal{H}_0 \subset \mathcal{H}$, first $s$ key bits are used to specify a unitary rotation $V_\ell$ of $\mathcal{H}$, and then the familiar further $2\log d$ bits of key are used to encrypt $\mathcal{H}$. If the $V_\ell$ ($\ell = 1, \ldots, 2^s$) are "sufficiently random" and $2^s \ge d/d_0$, then it can be shown that while the adversary can implement certain effective channels on $\mathcal{H}$, for most $\ell$ this will map the state significantly outside of $\mathcal{H}_\ell := V_\ell\mathcal{H}_0$.